The proposed ban on using TikTok in the U.S. is now just a few days away, and chances of a successful sale to an American buyer could be frustrated by new Chinese regulations. If ByteDance, the Chinese owner of TikTok, doesn’t sell to such a buyer by the end of September 15, then the ban will likely come into effect without further delay. Unsurprisingly, U.S. lovers of the social video-sharing platform have been looking for alternative ways of getting the TikTok app and ongoing updates. Just as unsurprisingly, threat actors have been looking to exploit the fear, uncertainty, and doubt created by Trump’s decision to ban TikTok.
Warning issued about dangerous new TikTok Pro app
Security researchers have now issued a warning about a dangerous new TikTok Pro app that is targeting Android users. TikTok Pro is a fake app with highly malicious intent: it can capture photos, read and send text messages, make calls and even steal passwords, according to Threatpost.
Sean Wright, SME application security lead at ImmersiveLabs, told me in conversation that “this looks to be a rather nasty piece of malware which ironically would severely impact a user’s privacy, the very thing which TikTok is supposedly being banned for.” It is, Wright says, “another example of how attackers leverage any development, be it a natural disaster or technology issue, as a means to spread their malicious software or attacks.”
How TikTok Pro spreads
Distribution would appear to be driven by an SMS and WhatsApp message campaign that urges TikTok lovers to download the latest ‘Pro’ version of the TikTok app from a specified weblink. “Upon installation, the spyware portrays itself as TikTok using the name TikTok Pro,” Shivang Desai, a senior security researcher at Zscaler, which discovered the threat, said. “As soon as a user tries to open the app, it launches a fake notification, and soon the notification, as well as the app icon, disappears. This fake notification tactic is used to redirect the user’s attention; meanwhile, the app hides itself, making the user believe the app to be faulty,” Desai warned.
Coming in dangerous waves
This campaign appears to have emerged in two distinct waves. The first version of the app requested Android permissions for the camera and phone but delivered only adverts as its payload. It quickly moved to phase two, in which the TikTok Pro app evolved into fully-fledged and dangerous spyware. This version gathers as much private data as it can and even extends its reach to Facebook credentials by launching a fake login page. That last capability is, at the moment, unique to this TikTok Pro campaign.
While admitting that the Facebook credential-stealing capability is interesting, it also “highlights the importance of having two-factor authentication (2FA) on your accounts,” Wright says, adding, “while 2FA may not always protect you, it certainly provides a greater barrier.”
“As a reasonably sophisticated escalation of privilege attack,” Tom Lysemose Hansen, CTO at Promon, says, “it is capable of reading all of a device’s data, including text messages and login credentials, making it a very concerning problem for the general public.” That this campaign is targeted at young people, “many of whom are likely to be children,” Lysemose Hansen says, “makes the situation even more grave. Unless their parents or carers work in cybersecurity, many of the victims are unlikely to know what to look out for when these types of attacks strike, or even better, how to prevent them.”
Wright says that this also highlights a situation where “politics gets in the way and has a negative impact,” adding that “we have yet to see concrete evidence behind the claims made about TikTok, and ironically this move to ban TikTok has perhaps jeopardized users’ privacy more by giving a platform to these malicious apps.”
Mitigating the risk posed by TikTok Pro app
Both Wright and Lysemose Hansen advise installing only apps that come from official app stores and were created by trusted, reputable developers. “One way to check this is to see if the developer has created any other apps,” Lysemose Hansen says, “and check the reviews for any and all apps they have developed.”
“Always check the app permissions to ensure that it isn’t asking for permissions for something which it wouldn’t need,” Wright concludes, “for example, a flashlight app requiring permissions to your contact list; this should immediately set alarm bells ringing and warrant further investigation.”
Shivang Desai, meanwhile, said that keeping the ‘unknown sources’ option disabled for your Android device, so that apps from unofficial sources and stores cannot be installed, is sound mitigation.
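The permission review that Wright recommends can be done systematically for every sideloaded app on a device. The script below is an added example, not code from the article, Zscaler or any of the people quoted: it parses the output of `adb shell dumpsys package` and flags the permissions the article says the fake app abuses (camera, SMS, calls) plus contacts, unless the reviewer has recorded them as expected for that app. The dumpsys excerpt and package names are constructed sample data.

```python
"""Flag over-privileged Android apps from `adb shell dumpsys package` output."""
import re

# Real Android permission names for the capabilities the article describes.
SENSITIVE = {
    "android.permission.CAMERA": "capture photos",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.CALL_PHONE": "make calls",
    "android.permission.READ_CONTACTS": "read the contact list",
}

# Constructed sample: one flashlight app and one sideloaded 'TikTok Pro' lookalike.
SAMPLE_DUMPSYS = """\
Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.tiktokpro] (4d5e6f):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
      android.permission.RECEIVE_BOOT_COMPLETED
"""

def parse_requested_permissions(text):
    """Return {package: set(permission)} from the 'requested permissions:' blocks."""
    apps, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:                       # new package section starts
            current = m.group(1)
            apps.setdefault(current, set())
            in_block = False
        elif line == "requested permissions:" and current:
            in_block = True
        elif in_block and line.startswith("android.permission."):
            apps[current].add(line.split(":")[0])
        elif in_block and line.endswith(":"):
            in_block = False        # next section, e.g. 'install permissions:'
    return apps

def flag_overprivileged(apps, expected=None):
    """Return {package: {permission: reason}} for sensitive permissions an app
    requests beyond those the reviewer listed as expected for its purpose."""
    expected = expected or {}
    findings = {}
    for pkg, perms in apps.items():
        allowed = expected.get(pkg, set())
        hits = {p: SENSITIVE[p] for p in perms if p in SENSITIVE and p not in allowed}
        if hits:
            findings[pkg] = hits
    return findings
```

Run it against real output with `adb shell dumpsys package > dump.txt` and pass the file contents to `parse_requested_permissions`; a flashlight app flagged for contacts is exactly the alarm bell Wright describes.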
I have reached out to ByteDance for comment regarding the TikTok Pro app threat and will update this article if any is forthcoming.